I have one web application on our server that needs to be referenced by two different domain names, both of which have their own SSL certificates. The application is exactly the same for both domains, but we have to keep the two domain names for legal reasons. The problem is that, since both domains need to have their own SSL certificate, inside of our IIS 7.5 configuration we have to have two separate IIS applications (both pointing to the same physical location) with their own unique IP address and SSL certificate installed. Now, I know that, due to the nature of SSL communications, this is by design and that you can't assign more than one SSL certificate per IP address and domain name. My question is… is there any way around this limitation to keep one web application in IIS and have it service two SSL certificates based on host name?

I know that with the basic IIS configuration this is not possible, but I was thinking that with some sort of combination of external load balancing and/or SSL acceleration servers/services we could have these servers process the SSL request and leave IIS clean to have one single application. I am not familiar at all with these technologies, hence the reason I am asking if it is theoretically possible. If not, does anyone else know how to achieve this?

1 Answer

If the load balancer handled all the SSL encryption for you, and passed only unencrypted traffic to the web server, then yes you could run both sites off of a single web application. I've done this before (with about 5 URLs feeding off of a single Web Application).

That's what I was hoping to hear. Can you provide me any information on the type of load balancer that can be used (can Windows standard load balancing in 2008 R2 handle it)? Do you have any sites that I can reference that show how it's set up to basically remove the SSL handling from IIS and "move it up a level"?
– bigmac Jan 10 '11 at 19:16

As far as I know NLB cannot do it. You'll need a hardware load balancer. In my case we were using Cisco ACE appliances. Nice little boxes, not all that expensive, and they got the job done. The SSL offload engine is a bit more if you have a heavy-load site (they license based on transactions per second). You'll need to export the certs and put them in the load balancer, then configure it to talk HTTP back to the web server. The UI is pretty easy to figure out. Don't have one handy though to look at.
– mrdenny Jan 10 '11 at 19:20
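The setup the answer describes (TLS terminated in front of IIS, plain HTTP to a single application) does not require a Cisco ACE; any TLS-terminating reverse proxy does the same job. Below is an added example in nginx configuration, not anything from the thread or from Cisco; the domain names, certificate paths and the IIS address 10.0.0.10 are placeholders I made up. The proxy holds both certificates, picks the right one from the host name the client sends in the TLS handshake (SNI), and forwards everything to one IIS site listening on port 80.

```nginx
# Added example: nginx as the TLS-terminating reverse proxy in front of one IIS application.
# Assumed values: the two domain names, the certificate/key paths and the IIS host 10.0.0.10.

upstream iis_app {
    server 10.0.0.10:80;          # the single IIS application, reached over plain HTTP
}

# Domain one, with its own certificate.
server {
    listen 443 ssl;
    server_name www.domain-one.example;
    ssl_certificate     /etc/nginx/certs/domain-one.crt;
    ssl_certificate_key /etc/nginx/certs/domain-one.key;

    location / {
        proxy_pass http://iis_app;
        proxy_set_header Host $host;                             # IIS still sees the original host name
        proxy_set_header X-Forwarded-Proto https;                # tells the app the client connection was TLS
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Domain two, with its own certificate, pointing at the same backend.
server {
    listen 443 ssl;
    server_name www.domain-two.example;
    ssl_certificate     /etc/nginx/certs/domain-two.crt;
    ssl_certificate_key /etc/nginx/certs/domain-two.key;

    location / {
        proxy_pass http://iis_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

On the IIS side only one site is needed, bound to port 80 with host headers for both names (or no host header at all). Two things to check once it runs: because the connection IIS receives is HTTP, `Request.IsSecureConnection` in ASP.NET reports false, so any "require HTTPS" logic in the application has to look at the `X-Forwarded-Proto` header instead; and because two certificates share one IP and port here, a client that sends no SNI gets the certificate of the first `server` block, so if such clients matter, bind each `server` block to its own IP address exactly as the original two-IP IIS layout did. The proxy-to-IIS hop carries the traffic in clear, so it belongs on an internal segment rather than a network the clients can reach.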